Solved: Re: Switching VLANs Required in ISE CWA with Flex Connect local switching?

Dan Davis · ‎07-03-2019

ISE CWA with Flex Connect local switching.

With this configuration does the client start off in one VLAN and then get switched to the local VLAN on the AP? I expect AAA override and CoA would be part of this? How does the client handle the re-dhcp - I expect there could be issues with some clients trying to switch their IP/VLAN.

Is it possible to NOT have the client switch VLANs, maybe the client could pull an IP locally and then once the AUP or credentials are entered the ACL would be removed allowing them to switch data locally on the AP.

hslai · ‎07-03-2019

No, this does not require VLAN change. In fact, we do not recommend VLAN changes for CWA.

ExpandBranch Office Wireless LAN Design - BRKEWN-2016 has some details in Slides 76 ~ 86 on BYOD, which works similarly to CWA, in terms of configurations in WLC.

Also see Central Web Authentication with FlexConnect APs on a WLC with ISE Configuration Example - Cisco

View solution in original post

hslai · ‎07-03-2019

No, this does not require VLAN change. In fact, we do not recommend VLAN changes for CWA.

ExpandBranch Office Wireless LAN Design - BRKEWN-2016 has some details in Slides 76 ~ 86 on BYOD, which works similarly to CWA, in terms of configurations in WLC.

Also see Central Web Authentication with FlexConnect APs on a WLC with ISE Configuration Example - Cisco